This document provides a sample configuration for a WebVPN tunnel between
the Cisco SSL VPN Client (SVC) and a Cisco VPN 3000 Concentrator that uses its
internal database for authentication. The Cisco SSL VPN Client supports
applications and functions that are not available to a standard WebVPN
connection.

WebVPN provides Secure Socket Layer (SSL) VPN remote-access connectivity
from almost any Internet-enabled location with only a Web browser and its
native SSL encryption. This enables companies to extend their secure enterprise
networks to any authorized user by providing remote-access connectivity to
corporate resources from any Internet-enabled location.

Ensure that you meet these requirements before you attempt this
configuration:

In order to use SSL VPN Client release 1.0.2, you must upgrade the
VPN Concentrator to release 4.7.2 or later. SSL VPN Client release 1.0.2 does
not operate with the VPN Concentrator that runs releases earlier than 4.7.2.

The information in this document is based on these software and
hardware versions:

VPN 3015 release 4.7.2.B, and SVC release 1.0.2.127

Windows 2000 PC using Internet Explorer 6.0 SP1

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

VPN Concentrators are not pre-programmed with IP addresses in their
factory settings. You must use the console port, which presents a menu-based
CLI, to perform the initial configuration. Refer to Configuring VPN
Concentrators through the Console for information on how to configure the
device through the console.

After you configure the IP address on the Ethernet 1 (private)
interface, the rest can be configured either using the CLI or via the browser
interface. The browser interface supports both HTTP and HTTP over Secure Socket
Layer (SSL).

Complete these steps:

Type the IP address of the private interface from the web browser
in order to enable the GUI interface.

The factory default username and password are both admin (case
sensitive).

Once you are logged in as an Administrator, install the SSL VPN Client
software on the VPN Concentrator.

This step is required only when you upgrade a VPN Concentrator from
an older release to 4.7. Choose Configuration > Tunneling and
Security > WebVPN > Cisco SSL VPN Client in order to install the
SSL VPN Client.

Note: New VPN Concentrators that run release 4.7 or later come
pre-loaded with the SSL VPN Client. By default, the SSL VPN Client is disabled
and you need to enable it. This is explained in step 4.

Select the WebVPN Tab in the same window in order to enable the SSL
VPN Client for group name sslgroup. Select the necessary
options.

The Cisco SSL VPN Client Keepalive Frequency
option is needed only to ensure that an SSL VPN Client connection through a
proxy, firewall, or NAT device remains open, even if the device limits the time
that the connection can be idle.

The Keep Cisco SSL VPN Client option ensures that the SSL VPN Client
remains installed on the client PC. If this option is not selected, the SSL VPN
Client has to be installed again every time you want a WebVPN tunnel from the
client PC.

When you generate the SSL certificate on the VPN Concentrator, always use
the IP address or the DNS name of the interface. If the name in the certificate
does not match what you type in the browser when you open the SSL connection,
you receive security warnings such as hostname mismatch errors. Type exactly
what you used when the certificate was generated.

You can choose Administration > Certificate
Management, and delete and generate the SSL certificate in order to
fix this issue.

When you click Generate, the Administration > Certificate Management >
Generate SSL Certificate window appears. In this window, you generate the SSL
certificate for the interface to which you connect. In the Common Name (CN)
field, enter either the IP address or the DNS name of the interface; it must be
the same as what you type in the browser to make the SSL client connection, or
you receive the mismatch error message.

Even when you do this, a window appears that shows these messages:

The security certificate date is valid.

The security certificate has a valid name that matches the name of
the page you attempt to view.

These two messages have a green mark, but a yellow mark indicates that the
certificate is not yet stored among the trusted certificates of the Internet
Explorer certificate store.

Click the third button in the View Certificate box in order to save the
certificate so that you no longer receive this error message. Choose Install
Certificate in the wizard and click Next. Then, choose Place all the
certificates in the following store and click Browse.

Finally, choose the Trusted Root Certification
Authorities folder and click Next. Choose
Finish and Yes at the final warning window.
You should receive another message that says that the import was
successful.

Note: You need to perform this process on every computer that uses the
SSL client connection, because each computer must store the certificate in its
own certificate store.

Complete these steps in order to troubleshoot your configuration. On the
VPN Concentrator you can enable Event Classes to log events. This helps you
troubleshoot if your SSL VPN tunnel does not come up.

If you encounter the Reason: bad handshake type error, it could be due to
an expired SSL certificate on one or more interfaces of the VPN Concentrator.
The workaround is to delete the expired certificate and generate a new one for
the particular interface. Choose Administration > Certificate Management and
click Generate in order to renew the certificate. Refer to Obtaining SSL
Certificates for more information on how to generate a new certificate.
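The hostname mismatch warning described in the certificate section and the
bad handshake error caused by an expired certificate both come from checks a
client performs on the certificate the concentrator presents. The Python script
below is an added example, not Cisco code: it performs those two checks offline
on certificates in the dictionary shape that Python's
ssl.SSLSocket.getpeercert() returns, so the same functions can be run against a
live peer. It goes beyond the CN-only case the page describes by also
honouring subjectAltName entries and a single leftmost wildcard label. The two
sample certificates, the documentation address 192.0.2.10 and the name
vpn.example.com are constructed for illustration.

```python
"""Browser-style checks on a server certificate: name match and validity.

Added example (not Cisco code). Works on the dictionary form returned by
Python's ssl.SSLSocket.getpeercert(); the certificates at the bottom are
constructed for illustration.
"""
import ipaddress
import ssl
import time


def _is_ip(text):
    """True if `text` parses as an IPv4/IPv6 address (what the user typed)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """RFC 6125-style DNS name match: exact, or one leftmost '*' label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False


def name_matches(cert, host):
    """Does the name typed in the browser (IP address or DNS name) appear in the certificate?

    subjectAltName is consulted first; the subject CN is used only when the
    certificate carries no SAN (the CN-only certificate the concentrator's
    Generate SSL Certificate window produces).
    """
    sans = cert.get("subjectAltName", ())
    host_is_ip = _is_ip(host)
    for kind, value in sans:
        if host_is_ip and kind == "IP Address" and _is_ip(value):
            if ipaddress.ip_address(value) == ipaddress.ip_address(host):
                return True
        elif not host_is_ip and kind == "DNS" and _dns_match(value, host):
            return True
    if sans:
        return False  # SAN present: the CN is ignored
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                if host_is_ip:
                    return _is_ip(value) and ipaddress.ip_address(value) == ipaddress.ip_address(host)
                return _dns_match(value, host)
    return False


def validity_problem(cert, now=None):
    """Return 'expired', 'not yet valid', or None. `now` is epoch seconds (UTC)."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None


def check(cert, host, now=None):
    """List the warnings a browser would raise for this certificate and URL host."""
    problems = []
    if not name_matches(cert, host):
        problems.append("hostname mismatch")
    problem = validity_problem(cert, now)
    if problem:
        problems.append(problem)
    return problems


# Constructed sample: CN set to the interface IP address, as the page recommends.
CN_IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
# Constructed sample: certificate that names both a DNS wildcard and the IP address.
SAN_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.10")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
    for cert, host in [(CN_IP_CERT, "192.0.2.10"), (CN_IP_CERT, "vpn.example.com"),
                       (SAN_CERT, "vpn.example.com")]:
        print(host, "->", check(cert, host, now) or "OK")
```

Running the script shows the page's point directly: the CN-only certificate
issued for 192.0.2.10 is accepted when the browser is pointed at that address
and rejected with a hostname mismatch when a DNS name is typed instead, and the
same certificate reports expired once the clock passes its notAfter date, which
is the condition behind the bad handshake error.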

With the introduction of SSL VPN functionality, HTTP/HTTPS access to the
Public interface became a necessity. The default configuration, however,
allows SSL VPN access while disallowing management access to the same Public
interface.

Use this procedure in order to configure the VPN Concentrator so that
you can manage it from the public network for releases 4.1 and
later.

Note: This checkbox setting overrides the rules that the Public filter
defines (or whatever filter is applied to the Public interface). You do not
need to add rules to filters in WebVPN supported code.

In order to access the management screen from the Public interface, the
URL becomes http[s]://<concentrator public IP address>/admin.html.

Problem: The WebVPN users are not able to
authenticate against the RADIUS server, but can authenticate successfully with
the local database of the VPN Concentrator. Errors such as Login
failed and the message in this example screen shot are
seen.

Cause: These kinds of problems happen very often
when you use any database other than the internal database of the VPN
Concentrator. WebVPN users hit the Base Group when they first connect to the
VPN Concentrator and therefore must use the default authentication method.
Often this method is set to the internal database of the VPN Concentrator and
not a configured RADIUS or other server.

Solution: When a WebVPN user authenticates, the VPN Concentrator checks the
list of servers defined at Configuration > System > Servers >
Authentication and uses the top one. Make sure to move the server that you
want WebVPN users to authenticate with to the top of this list. For example,
if RADIUS should be the authentication method, you need to move the RADIUS
server to the top of the list to push the authentication to it.

Note: Just because WebVPN users initially hit the Base Group does not mean
that they are confined to the Base Group. Additional WebVPN groups can be
configured on the VPN Concentrator, and the RADIUS server can assign users to
them by populating attribute 25 with OU=groupname. Refer to Locking Users into
a VPN 3000 Concentrator Group Using a RADIUS Server for a more detailed
explanation.